AIR provides catastrophe risk modeling solutions that make individuals, businesses, and society more resilient.
AIR Currents

July 12, 2017

Editor's Note: In this article, we discuss the potential for catastrophic losses due to industry-level damage caused by a systemic cyber attack that government agencies, insurers, and industry trade groups must prepare for. We also discuss tools that risk managers of all industries can use to analyze systemic cyber risk to determine an individual organization’s exposure to this risk.

In May, President Donald J. Trump signed an executive order to shore up the cybersecurity of U.S. systems and improve the coordination between the public and private sectors on cyber defense. The latter  goal specifically refers to  securing the critical industry sectors “whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” All companies are exposed to some level of cyber risk, but the most pressing issue facing companies today is systemic cyber risk—the extent to which the same form of cyber risk exists within most, if not all, companies within an industry and the potential for a single incident to affect the security and profitability of that entire industry.

BI Losses Can Far Exceed Losses from Direct Damage

The recent global ransomware attack known as WannaCry highlights how systemic cyber risk has unknowingly been allowed to permeate across society, becoming the most significant threat to critical industries. When these industries have cyber vulnerabilities in common, an exploitation of a vulnerability can result in damage to entire systems (industries) as opposed to individual parts or components (companies). The challenge with systemic cyber risk is that often its existence only becomes apparent—or activities to contain the risk only occur—after an incident. For example, global ransomware infections became widespread because many computer operating systems had not been updated with security patches, despite their being made available months beforehand.

Most concerning about systemic cyber risk is that collateral damage often far exceeds the direct damage of the cyber attack. For example, the business interruption losses WannaCry caused have been estimated to be in the billions of dollars, but the actual ransom collected by the hackers amounted to just over USD 140,000 as of the end of June. As more attacks of this nature occur, we can expect that the economic losses will mostly comprise business interruption loss, rather than losses associated with repair or recovery costs.

With cyber insurance coverage for business interruption loss still limited—due to relatively high waiting periods and other deductibles, and/or low limits—the burden of covering business interruption losses must be borne by the impacted industries themselves.

Gian CalvesbertGian Calvesbert, CCM
Senior Product Marketing Manager

Edited by Sara Gambrill, CCM


Because of the potential for catastrophic losses due to the industry-level damage that can occur as a result of a systemic cyber attack, risk managers should be asking: What is the level of systemic cyber risk within particular industries? Is the same type of systemic cyber risk present across many industries? What is the potential financial impact of a systemic cyber attack? What risk mitigation actions should industries be taking?

Quantifying Systemic Cyber Risk

The three-step, bottom-up process described in the following sections provides a view of systematic cyber risk more tailored to the specific industries and the companies within them.

1. Understanding the Industry-Level Virtual Supply Chain

Cyber risk is different from physical risk because the drivers of risk may not be correlated with an organization’s geographic location. For example, with flood risk one can look at all the properties that lie within a certain distance from a river or coast; in the case of cyber risk, a cloud service provider may have client companies scattered across the globe, so the location of the provider and its client companies are uncorrelated. This challenge is being addressed with technologies that monitor the public space of the internet, allowing risk managers to identify all the internet-based services that a company may rely on. Once detailed data on the virtual supply chain has been collected, risk managers can begin to understand the level of exposure to systemic cyber risk at an industry level.

2. Testing the Industry’s Resilience by Studying “What-If” Scenarios

The detailed data about the virtual supply chain can then be used to identify which cyber scenarios are most relevant and to quantify the systemic risk within an industry in the form of potential financial losses. For example, if a certain cloud provider is relied upon more than any other by many companies within an industry, then a downtime scenario for a range of outage durations for that specific cloud provider would reveal a distribution of potential outcomes. Similarly, these scenarios can also be used to quantify the impact of risk mitigation activities. What if the market share of cloud providers within an industry were more evenly distributed? What if all companies were to upgrade their software to the latest release versions? What if the adoption of cyber insurance by companies increases? By adjusting the underlying scenario conditions and retesting, risk managers can measure the financial benefits and compare them with the cost of implementation and enforcement of specific mitigation tactics.

Systemic cyber risk can manifest itself in many forms:

IT Service providers with significant market share. If a cloud service, domain name system (DNS), or other IT service provider were to experience service downtime as a result of a cyber incident, the business operations of all their clients could be shut down as well.

Zero-day vulnerabilities. If a malicious hacker discovers software vulnerabilities that are unknown to the manufacturer and are unpatched in commonly used software, the users of that software may be at risk of a coordinated attack.

Use of unpatched or end-of-life software. The risk of using unpatched or end-of-life software can be the same as using software with zero-day vulnerabilities, but the threat related to the use of unpatched or end-of-life software can be avoided by either updating the software in a timely manner or using the latest software releases.

Vulnerabilities within the internet infrastructure. There are many components of internet infrastructure, including internet service providers, internet exchange points, and content delivery networks. If any of these were to become unavailable, the internet and the services that are channeled through it would also no longer be available.


3. Estimating the Frequency of Systemic Cyber Events Occurring

Frequency estimates provide additional context for the distributions of losses obtained in the scenario analysis. They change the conversation from, “What will the impact of a cyber incident be?” to “How likely is it that such an incident will occur?” When probabilities are attached to the losses, risk managers can have discussions with executive management and begin to make risk mitigation decisions based on the organization’s unique risk appetite. For example, if the company is willing to live with an X% probability that a Y$ loss will occur, and has quantified those variables, the company can then allocate the optimal amount of funding for mitigation and response activities and evaluate the return on investment of those activities.

Limitations of the Market Share Approach

Risk managers have traditionally used market share analyses that use broad assumptions to estimate systemic cyber risk. To examine the limitations of a market share approach, AIR conducted an analysis utilizing its database of cyber industry exposures, which has data on the virtual supply chain of most U.S. businesses. The study consisted of grouping companies into different notional portfolios and measuring the market share of a specific IT service provider for each unique portfolio. The different portfolios’ market shares were then compared against the overall market share of the provider. Specifically, we looked at Dyn, a domain name service (DNS) provider, which was the victim of a mass denial of service attack that brought down the internet pages of many of its clients. Dyn is known to have a 4% market share. This 4% share would be the share applied broadly across any portfolio if a market share approach were used. Figure 1 shows how systemic cyber risk is likely to be misjudged within specific portfolios when using market shares.

Fig 1
Figure 1. AIR analysis of Dyn market shares within sample of notional portfolios.

AIR’s analysis shows that there is only a 20% chance that a unique portfolio has a Dyn market share of 4%, the known value. So in general terms, you have only a 20% chance of estimating your systemic cyber risk accurately when using a market share approach. In fact, you also have a 20% chance that the Dyn market share within a unique portfolio is 50–150% higher than the known value (i.e., 6–10% of market share). Risk managers should find it concerning that they have only a 20% chance of estimating their systemic cyber risk correctly when using a market share approach.

Modeling Systemic Cyber Risk Using ARC’s Detailed Accumulation Approach

AIR developed a detailed accumulation approach as an improvement over market share methods. A detailed accumulation approach utilizes data about a company’s virtual supply chain to determine with greater certainty which companies would be impacted by the systemic risk scenario. This approach provides a more confident view of the risk because it identifies the exposures that would actually be affected by the event and omits those that should not be considered. Below is a visual comparison of the two approaches.

Fig 2
Figure 2. Two identical portfolios are tested against the same cloud failure cyber scenario, using a market share approach (left) and ARC’s detailed accumulation approach (right).

In Figure 2, two identical portfolios are tested against the same cloud failure cyber scenario. Using a market share approach (left) the exposures impacted by the scenario are arbitrarily carved out. For example, if Cloud Vendor X has a 30% market share, then you would assume that same share exists within your portfolio and that 30% of your companies would be at risk of experiencing a loss if that cloud provider were to go down. With the detailed accumulation approach (right), companies are organized around the specific cloud providers each company actually relies on. By identifying these aggregation points, only the companies known to be at risk are considered.

AIR’s cyber risk modeling application, ARC, uses this detailed accumulation approach as the foundation for the various deterministic scenario models that can be used by risk managers from all industries. Coupled with AIR’s comprehensive database of industry exposures, ARC provides new insights into the causes and impacts of systemic cyber risk.




You’re almost done.
We need to confirm your email address.
To complete the registration process, please click the link in the email we just sent you.

Unable to subscribe at this moment. Please try again after some time. Contact us if the issue persists.

The email address  is already subscribed.